Method and system for preserving privacy related to networked media consumption activities

ABSTRACT

A method and system for preserving privacy related to networked media consumption activity including: Source privacy zones are defined and associated with privacy standards. Privacy standards include frequency criteria governing the storage of datasets including information associated with networked media consumption activity collected from the source privacy zone. Transaction requests including a networking protocol address are received over a network from a client device at a target location by a networked privacy system. The source privacy zone associated with the client device is identified. Using the networking protocol address to access characteristics having characteristic value(s), a dataset can be created including associating the networked media consumption activity with the characteristic and characteristic value(s). The dataset is pre-processed to comply with the privacy standards. The networking protocol address is discarded. The pre-processed dataset can be stored in a filtered database on a physical storage device at a storage location coupled to the networked privacy system.

FIELD OF INVENTION

The invention relates to methods and systems for preserving the privacyof networking protocol addresses collected by networked systems.

BACKGROUND OF INVENTION

Data such as networking protocol addresses and data related to visitorinteraction with networked systems such as internet media outlets andweb sites can be collected using a variety of techniques. For example,when an end-user operates a web browser on an internet enabled clientdevice such as a personal computer and attempts to view a website, theInternet Protocol (IP) address of the client device can be provided tothe web site. In some cases, this IP address may be recorded by the website or a third party system and coupled to additional data regardingthe client device and/or interaction such as the time of day, the typeof browser used, geographic location and an activity history withrespect to the web site.

The collection of networking protocol addresses such as IP addresses,coupled with other data such as data related to media consumptionactivities has raised privacy concerns among regulatory groupsassociated with various governments. For example, networked mediaoutlets serving international communities may be forced to comply withprivacy regulations which can vary from region to region.

What is needed is a system and method for preserving privacy related tonetworked media consumption activities while retaining the ability tocollect and analyze data associated with the interactions between clientdevices and networked systems.

SUMMARY OF INVENTION

The current invention is a method and system for preserving privacyrelated to networked media consumption activity. According to thecurrent invention, one or more source privacy zones are defined andassociated with privacy standards. Privacy standards include one or morefrequency criteria governing the storage of datasets includinginformation associated with networked media consumption activitycollected from the source privacy zone. Transaction requests including anetworking protocol address can be received over a network from a clientdevice at a target location by a networked privacy system. The sourceprivacy zone associated with the client device can be identified. Usingthe networking protocol address to access at least one characteristichaving at least one characteristic value, a dataset can be createdincluding associating the networked media consumption activity with thecharacteristic(s) and characteristic value(s). The dataset ispre-processed to comply with the privacy standards. The networkingprotocol address is discarded. The pre-processed dataset can be storedin a filtered database on a physical storage device at a storagelocation coupled to the networked privacy system.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates a networked privacy system for preserving privacyrelated to networked media consumption activities according to thecurrent invention; and

FIG. 2 illustrates a networked privacy system including multiple storagelocations; and,

FIG. 3 illustrates a method flow according to an example of the currentinvention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates a networked privacy system 100 for preserving privacyrelated to networked media consumption activities according to thecurrent invention. A networked privacy system 100 includes a transactionserver 120 coupled to a network 140, a data extractor 158, a privacystandards manager 164, a pre-processor 174 and a filtered database 160stored on a physical storage device 162.

According to the current invention, privacy zones with associatedprivacy standards can be established. A privacy zone can be a geographicregion where privacy standards can be established to regulate thestorage of data into a filtered database such as filtered database 160based on one or more frequency criteria. By preventing the storage ofsensitive and/or re-identifiable data in the filtered database, thecurrent invention supports preserving privacy related to networked mediaconsumption activities. For example, in some cases, the privacystandards can correspond to governmental policies or laws related toprivacy and/or security of personally identifiable information (PII) andthe privacy zone can correspond to the contiguous or non-contiguousphysical territory governed by the governmental policies and/or laws.

Privacy standards are associated with a source privacy zone and caninclude one or more frequency criteria to govern the storage of datasetsincluding information associated with networked media consumptionactivity collected within the associated source privacy zone. Oneexample of a privacy standard including a frequency criterion is:“Permit the storage of the client domain name associated with networkedmedia consumption activity for a particular client domain in thefiltered database as long as there are at least 500 media consumptionactivities originating from that client domain in a time window equal toone day.” The privacy standard includes: at least one characteristic (inthis case the client domain name) and at least one frequency criterion(in this case 500 media consumption activities per day). In thisexample, the frequency criterion is to be evaluated to with respect toeach separate client domain characteristic value (such asbigcompany.com, littlecompany.com, school.edu. etc.) for a time window(per day). In some cases, examples of the current invention can supportmore complex privacy standards such as privacy standards including morethan one characteristic, frequency criteria including sets ofcharacteristic values or characteristic value ranges, complex frequencycriteria based on models and/or frequency criteria which vary over time.In some examples, the time window can be a fixed time window or a movingtime window.

It is envisioned that in some embodiments of the current invention,nested source privacy zones could be supported. For example, a nestedsource privacy zone system could be used to enforce the differentprivacy regulations that might be apply based on local, regional andcountry-wide legislation or policies.

There is great interest in statistical data related to networked mediaconsumption activities. Privacy standards can be implemented inconjunction with the current invention to prevent re-identification andensure the privacy of end users within a geographic zone whilepreserving access to statistically valid data. For example, privacystandards can be used to prevent the storage of datasets because theyare too small and/or data ranges are too specific to preserve theprivacy of the end user. In some cases, the data extractor and/or thepre-processor can be configured to automatically support compliance withprivacy standards by deleting some data fields, replacing data indatasets with a broader data range and/or statistically obfuscating datain datasets before permitting storage in the filtered database, therebypreserving the statistical integrity of the data and the privacy of theend-user.

A Privacy Standards Manager 164 accesses the privacy standards and thedefinitions of the source privacy zones. In some cases, the privacystandards and/or the source privacy zone definitions can be centrallylocated or distributed across multiple systems and/or locations, butstill accessible by the Privacy Standards Manager.

Networked media outlets such as networked media outlets 166 and 168 canprovide media content such as media content over a network 140 such asthe Internet, an intranet, a cellular phone network, a cable televisionnetwork or combinations thereof. Examples of media content can includeweb pages, audio content, video content, networked gaming content, videoon demand, internet protocol TV (IPTV) or combinations thereof. Themedia content can be presented to end users through client devices 150,152 and 154 such as, but not limited to, personal computers, laptops,personal digital assistants (PDAs), cell phones and/or televisionsreceiving cable content using presentation devices 151, 153 and 155 suchas monitors, screens, televisions and/or audio speakers.

For example, a client device 150 located in a source privacy zone 156such as the European Union (E.U.) can access networked media contentfrom a networked content server 166 such as a website. By embeddingcommands in the website, the networked content server 166 can direct theclient device 150 to submit a transaction request such as an imagerequest which includes a request for a beacon from a third party systemsuch as the networked privacy system 100 according to the currentinvention. Beacons are also known as tracking pixels or clear GIFs(Graphics Interchange Format). The transaction request can include anetworking protocol address such as, but not limited to, an IP addressor a MAC address. In some cases, the transaction request can includeadditional information such as, but not limited to, cookies. In somecases, additional information which can provide and/or cross-referencedata such as, but not limited to, data related to the networked mediacontent, recent and/or historical interactions with the networked mediacontent and/or demographic data. In this example, the transactionrequest is an image request which is received over a network 140 by thetransaction server 120 of the networked privacy system 100 located inthe target location 20.

In some cases, the current invention can look-up, identify or guess thesource privacy zone associated with a transaction request from a client.For example, in some cases, information such as, but not limited to, anIP address, cookie or routing information inside a networking packet canbe used, in part, to make this determination. In some embodiments of thecurrent invention, the networked privacy system can discard transactionrequests which originate from a source privacy zone based on one or moreconsiderations such as, but not limited to, discarding a transactionrequest based on the identification of the source privacy zone or theprivacy standards of the source privacy zone. In some cases, thenetworked privacy system can re-route the transaction request to anotherportion of the networked privacy system such as, for example, a portionof the networked privacy system located in a different target locationwhich could have more attractive privacy standards based on the targetlocation and/or storage location. In some cases, transaction requestscould be re-directed for other reasons such as, but not limited to, loadbalancing considerations. For example, in some cases, the redirectionmay be accomplished by sending an HTTP command such as a temporaryredirect (HTTP 302) to the client device instructing the client deviceto resubmit the transaction request to a portion of the networkedprivacy system which is located in a different target location.

In some examples of the current invention, privacy standards can beestablished based on the location of the client device. In some cases,the location of the client device can be guessed based on the networkingprotocol address associated with the client device as reported in thetransaction request. The privacy standards can be used to govern thehandling of data associated with the client device based on the sourceprivacy zone; in some cases, the privacy standards can also be based onthe target location (where the transaction request is received) and/orthe storage location of the physical storage device. For example, aprivacy standard may prevent the look-up of any characteristic valuesbased on the networking protocol address of the client device. However,in some cases, the privacy standard may permit the current invention torecord a limited amount of data in the filtered database such as: anetworked media consumption activity occurred and a timestamp. In thisway, it can be possible to provide limited service and/or collectlimited data based on a client transaction request from a source privacyzone with restrictive privacy standards.

A variety of commercial services and commercial and/or private databasessuch as lookup service 170 can provide information based on a networkingprotocol address. For example, it is possible to use an IP address toobtain characteristic values for characteristics related to the clientdevice and/or client device location such as, but not limited to:country, geographic region, city, state, province, area code, metrocode, zip code, latitude, longitude, connection type, organization,domain name, ISP, netspeed/connection speed, proxy detection and/ormobile gateway detection. In addition, a network identifier such as anIP address can be used to obtain derived data such as language,currency, legal restrictions/regulations/tax laws, licensing/IP andcopyright agreements, time zone and/or demographic identifiers such asDMA® codes (Nielsen Designated Market Areas). Depending on the databaseand/or service used, the information obtained from a networking protocoladdress can represent precise, verifiable information. However, it isunderstood that in some cases, the characteristic values obtained from anetworking protocol address can represent an estimate, range,approximation, calculation, a probability or combinations thereof. Thelinkage of the networking protocol address or characteristics andcharacteristic values derived from the networking protocol address tothe media consumption activity can be sensitive. According to thecurrent invention, sensitive linkages can be established and protectedaccording to the source privacy zone where the client device is locatedbased on the privacy standard for the source privacy zone. In this way,the privacy standards governing the usage, and/or storage of thesensitive data can be applied and managed.

In this example, the data extractor 158 accesses the networking protocoladdress from the transaction server 120 and uses the networking protocoladdress to access one or more characteristics having one or morecharacteristic values. In some cases, the data extractor 158 can use oneor more local systems such as lookup tables 172 and/or remote systemsand/or databases such as optional lookup service 170 to access thecharacteristics and related characteristic values. In the exampleillustrated in FIG. 1, lookup tables 172 are internal to the dataextractor 158 and kept in fast access memory. However, it is envisionedthat in various embodiments of the current invention, lookup tables canbe stored external to the data extractor 158; for example, in somecases, the lookup tables can be co-located with the filtered database.In some embodiments of the current invention, the operation of the dataextractor can be subject to privacy standards. Note that in some cases,privacy standards can prevent the current invention from providing thenetworking protocol address to a remote system and/or database. However,in other cases, privacy standards may only prevent the current inventionfrom providing the networking protocol address to a remote system and/ordatabase when the networking protocol address is coupled to othersensitive data, making a simple look-up acceptable. In some cases,privacy standards may permit the use of a partial networking protocoladdress, such as the first few bits of an IP address, but restrict theuse of the complete IP address.

The pre-processor 174 is provided with access to the dataset includingcharacteristics and related characteristic values accessed by the dataextractor 158 in conjunction with the networked media consumptionactivity. The pre-processor 174 processes datasets to comply with allthe frequency criteria described in the privacy standards before thedataset can be inserted into the filtered database 160. In some cases,the dataset can be provided to an optional staging database 176, withthe staging database 176 accessible by the pre-processor 174. In theexample illustrated in FIG. 1, the staging database is stored in thepre-processor. For example, the staging database could be stored fastaccess memory. However, in other example of the current invention, it isenvisioned that the staging database could be external to thepre-processor. For example, in some cases, the staging database could beco-located with the filtered database. In some cases, other informationrelated to the networked media consumption activity such ascharacteristic times can also be provided to the pre-processor 174 andlinked to the characteristics and related characteristic values. In somecases, information related to the networked privacy system can beprovided to the pre-processor and optionally incorporated into thedataset such as, but not limited to, the receipt time of a transactionrequest at the networked privacy system.

The pre-processor 174 applies the privacy standards to the datasetsbefore allowing them to be written to the filtered database 160. In someexamples of the current invention, datasets which do not comply with atleast one privacy standard can be discarded or altered to comply. Insome cases, one or more characteristic values can be deleted or replacedin order to comply with the privacy standards. For example, one or morevalues or value ranges can be replaced with broader value ranges, noisecan be introduced to one or more characteristic values, and/or one ormore characteristic values can be subject to statistical obfuscation.For example, in some cases, statistical obfuscation can mean introducingnoise to the dataset so that individual values are changed in a way thatis meaningful over a large sample set. However, the change is notreversible, preventing the extraction of the original individual valuesfrom the statistically obfuscated fields.

In some examples, the pre-processor 174 can use a device such as, butnot limited to, a tally or database query to determine the frequency ofone or more characteristic values in order to apply frequency criteria.In some examples, the pre-processor can include models such as, but notlimited to, probabilistic and/or statistical models, to estimate thefrequency of one or more characteristics and then apply the frequencycriteria to the estimates. Examples of data structures used in modelsfor estimating frequency include, but are not limited to, Bloom filters,Aggregated Bloom Filters (ABFs), and Count-Min (CM) sketches. Forexample, a pre-processor can use Bloom filters or related datastructures to estimate the frequency of some characteristic values. Thepre-processor can use these estimates to determine compliance with thefrequency criteria. In some cases, the models may be based on previouslycollected data. In some cases, the models may be pre-configured based onpreviously collected data. For example, a Bloom filter can be pre-loadedwith previously collected data so that it has already “learned” thefrequency associated with various characteristic values.

In some examples, the pre-processor 174 can use aggregated data toassess compliance with the frequency criteria. For example, it isenvisioned that in some cases, the networked privacy system can bedistributed across multiple servers, systems, data centers, and/orlocations. In order to support high traffic applications, reliability,applications with client devices located in widespread geographiclocations and/or compliance with privacy laws, some examples ofnetworked privacy systems can include multiple instances and/ordistributed implementations of transaction servers, data extractors,pre-processors, optional staging databases and filtered databases, allsubject to the privacy standards. It is envisioned that aggregation canbe handled in a variety of ways such as, but not limited to, using acentrally managed aggregator, enabling peer-to-peer aggregation and/orcombinations thereof. For example, in some embodiments of the currentinvention, multiple pre-processors can be pre-processing datasets usinga model incorporating a Count-Min sketch data structure, in parallel. Toassess the frequency of a characteristic value, the pre-processor couldattempt to find the frequency based on an aggregate of the Count-Mindata structures managed by accessible pre-processors.

Note that some types of aggregation could be subject to privacystandards. For example, transferring collected data includinginformation associated with networked media consumption activity fromone location to another could invoke privacy standards with restrictionsbased on the storage location and/or privacy standards includingrestrictions on permissible data operations with respect to collectedinformation associated with networked media consumption activity.However, aggregating data associated with data structures which cannotbe queried to provide personally identifiable information would beunlikely to invoke privacy standards; for example some data structuressuch as, but not limited to, some types of Bloom filters, can be used toprovide frequency estimates for characteristic values, but cannot bequeried to provide personally identifiable information.

In some examples, the pre-processor 174 can temporarily store datasetsin the optional staging database 176. For example, the pre-processor canleave datasets which do not yet comply with frequency criteria in theoptional staging database 176. For example, a frequency criterion couldforbid the storage of datasets with a characteristic “domain name”unless there are more than 500 datasets with the same characteristicvalue per day. The pre-processor 174 can permit the first 500 datasetswith the characteristic value of “big_company.com” for thecharacteristic “domain name” to temporarily reside in the optionalstaging database 176. Sometime after the 501^(st) dataset with thecharacteristic value of “big_company.com” for the characteristic “domainname” arrives within a time window of one day, the compliant datasetscould be released by the pre-processor 174 for subsequent storage in thefiltered database 160.

Before storage in the filtered database 160, datasets are stripped ofthe networking protocol address, which is discarded. In some embodimentsof the current invention, this step can be executed in the pre-processor174. In some examples, the networking protocol address can be discardedby other portions of the networked privacy system such as the dataextractor 158, which could discard the networking protocol address afterusing it in the access of a characteristic value.

The physical storage device 162 is physically located in a storagelocation 163. For the example illustrated in FIG. 1, the storagelocation 163 and the target location 20 are co-located. However, it isenvisioned that in some embodiments of the current invention, storagelocation and the target location may not be wholly co-located; it isalso envisioned that storage location can be completely remote from thetarget location. The filtered database 160 is stored on physical storagedevices 162 such as magnetic disk drives, optical drives, flash drivesor combinations thereof incorporated into and/or coupled to thenetworked privacy server 100. Data including characteristics, with therelated characteristic values, can be stored on physical storage 162,and managed, maintained and/or accessed using the filtered database 160,subject to privacy standards.

To protect privacy, the threshold conditions in the frequency criteriacan be established based on a variety of parameters such as, but notlimited to, the characteristics of the end-user using the client device,characteristics of the client device and/or characteristics associatedwith the networked media consumption activity. A privacy standard canrestrict storing a dataset including elements with the business name ofthe client device's domain (with the business name extracted fromnetworking protocol addresses) in conjunction with a purchase history orbrowsing history unless the dataset includes a minimum number ofelements per business. For example, a complex or parameterized thresholdcondition could be set up to provide different thresholds for theminimum number of media consumption events associated with thecharacteristic “domain name” for businesses based on the estimatednumber of employees at the business.

A privacy standard can include frequency criteria related to two or morecharacteristic taken together. For example, a frequency criterion mayrestrict storage of datasets unless there at least 500 datasets with thecombination of the same domain name and the same zip code for a timewindow. For example, with a fixed window, that could mean that unless atleast 500 clients using the same Internet Service Provider (ISP) in thesame zip code are monitored within a one day time window by thepre-processor, none of them could be entered into the filtered database.In some examples, the time window can be a moving window, with theoldest non-compliant datasets aging off as time elapses. In someexamples, the time window can be a fixed time window, with dataassociated with expired time windows purged from the system.

In another example, a privacy standard can restrict the storage ofdatasets in conjunction with complex frequency criteria. For example,complex thresholds could be set up to require minimum counts for one ormore characteristic values based on multiple time windows. For example,frequency criteria may require thresholds for 5 minutes, 1 hour, 2hours, 1 day and 1 week time windows.

According to the current invention, frequency criteria associated withprivacy standards can be set to an absolute value, range of values, setof values or a profile. In some cases, the frequency criteria may varyaccording to time, day and/or date windows or be parameterized. Forexample, frequency criteria can be set differently for datasetsassociated with a client device located at a large company compared todatasets associated with a client device located at a small company,based on the domain name associated with the client device. In someexamples, a characteristic value such as a “domain name” could beevaluated based on sets of commonly owned domain names. In someexamples, frequency criteria could be set to one set of values at aknown high traffic time window and to another set of values at a knownlow traffic time window. In some cases, frequency criteria can beautomatically set based on past data collection. For example, if a fullweek of data collection shows that the number of clients in a sourceprivacy zone purchasing shoes at a shoe selling website was so largethat re-identification based on the source privacy zone and thecollected data and characteristics in the database would not be possibleor likely, a privacy standard can be established with respect to thatsource privacy zone that only prevents the exact time of the shoepurchase transaction from being stored in the filtered database.

In some examples, a privacy standard can optionally include restrictionson permissible data operations with respect to information associatedwith networked media consumption activity collected from the sourceprivacy zone. For example, in some cases, some or all characteristicvalue look-ups based on IP addresses (such as looking up a mailingaddress based on an IP address) can be forbidden by local law in aparticular geographic region. According to some embodiments of thecurrent invention, a source privacy zone can be established tocorrespond to that geographic region and a privacy standard can beestablished forbidding the lookup of a mailing address based on an IPaddress based on transaction requests originating from clients in thatsource privacy zone. For example, in some embodiments of the currentinvention, this element of the privacy standard can be enforced in thedata extractor 158 and/or the transaction server 120. Note that someprivacy systems support aggregation of data for a variety of reasonssuch as, but not limited to: configuring models, pre-configuring models,database management and/or assessing the frequency of one or morecharacteristic values; for these privacy systems, the aggregationoperations can be subject to privacy standards such as privacy standardsrestricting permissible data operations and/or privacy standardsincluding restrictions based on the target location and/or the storagelocation.

In the example illustrated in FIG. 1, the networked privacy system 100is a third party system with respect to the networked media contentservers 156 and 158, and the transaction requests can be related tomedia consumption activities associated with multiple networked contentservers. In some embodiments of the current invention, the networkedprivacy system can be dedicated to media consumption activitiesassociated with a single networked media content entity such as an IPTVnetwork or a large internet portal. The networked privacy system can bea third party system with respect to the single networked entity in thiscase, operated and/or maintained independently from the single networkedentity. However, the networked privacy system can also be implemented asan in-house tool resident on the same systems as the single networkedentity.

Some examples of filtered databases may be designated “exportable”,meaning that the filtered database is permitted to release data; in somecases, additional policies may be used to regulate the release of datasuch as policies related to security considerations. Some examples offiltered databases may be designated “partially exportable”, meaningthat the filtered database can be permitted to release some data to adestination, possibly subject to privacy standards and/or export ruleswhich can be based on the geographic location of the destination. It isenvisioned that a variety of other designations are possible. Anoptional security program can be used in conjunction with the currentinvention to manage exporting data from the filtered database.

FIG. 2 illustrates a networked privacy system 200 including multiplestorage locations 210, 220, 230 and 240. In this example, each storagelocation can be coupled to at least one pre-processor. In some examples,two or more storage locations can be coupled to the same pre-processor;in some examples a single storage location can be coupled to multiplepre-processors. In this example, the filtered databases are designated“exportable”. A roll up system 250 can be used to view and or collectdatasets which roll up from multiple storage locations, withoutcompromising the privacy standards specific to each storage location. Insome cases, a roll up system such as system 250 can also be used tosupport aggregation.

FIG. 3 illustrates a method flow according to an example of the currentinvention. An example method 300 begins when one or more source privacyzones are defined (Step 310); the method continues when a privacystandard is associated with each source privacy zone, including one ormore frequency criteria to govern the storage of datasets includinginformation associated with networked media consumption activitycollected from the source privacy zone (Step 320); the method continueswhen a transaction request is received in association with networkedmedia consumption activity including a networking protocol address, froma client device in a source privacy zone over a network at a targetlocation by a networked privacy system (Step 330); the method continueswhen the source privacy zone associated with the client device isidentified (Step 340); the method continues when the networking protocoladdress is used to access at least one characteristic having at leastone characteristic value, thereby creating a dataset includingassociating the networked media consumption activity with the at leastone characteristic having at least one characteristic value (Step 350);the method continues when the dataset is pre-processed to comply withthe privacy standards (Step 360); the method continues when thenetworking protocol address is discarded (Step 370); and, the methodcontinues when the pre-processed dataset is stored in a filtereddatabase on a physical storage device at a storage location and coupledto the networked privacy system (Step 380).

The order of the steps in the foregoing described methods of theinvention are not intended to limit the invention; the steps may berearranged.

Foregoing described embodiments of the invention are provided asillustrations and descriptions. They are not intended to limit theinvention to precise form described. In particular, it is contemplatedthat functional implementation of invention described herein may beimplemented equivalently in hardware, software, firmware, and/or otheravailable functional components or building blocks, and that networksmay be wired, wireless, or a combination of wired and wireless. Othervariations and embodiments are possible in light of above teachings, andit is thus intended that the scope of invention not be limited by thisDetailed Description, but rather by Claims following.

1. A method for preserving privacy related to networked mediaconsumption activity comprising the steps of: defining one or moresource privacy zones; associating a privacy standard with each sourceprivacy zone, including one or more frequency criteria to govern thestorage of datasets including information associated with networkedmedia consumption activity collected from the source privacy zone;receiving a transaction request in association with networked mediaconsumption activity including a networking protocol address, from aclient device in a source privacy zone over a network at a targetlocation by a networked privacy system; identifying the source privacyzone associated with the client device; using the networking protocoladdress to access at least one characteristic having at least onecharacteristic value, thereby creating a dataset including associatingthe networked media consumption activity with the at least onecharacteristic having at least one characteristic value; pre-processingthe dataset to comply with the privacy standards wherein pre-processingcomprises: temporarily storing at least one dataset in a stagingdatabase for a time window; and permitting the dataset to be written toa filtered database if the dataset in the staging database meets all thefrequency criteria described in the privacy standards within the timewindow; discarding the networking protocol address; and, storing thepre-processed dataset in the filtered database on a physical storagedevice at a storage location and coupled to the networked privacysystem.
 2. The method of claim 1 wherein the privacy standards furtherinclude restrictions on permissible data operations with respect toinformation associated with networked media consumption activitycollected from the source privacy zone.
 3. The method of claim 1wherein: the frequency criteria can include the frequency of multiplecharacteristic values taken together.
 4. The method of claim 1 wherein:the step of pre-processing includes using a model to estimate thefrequency of at least one characteristic value.
 5. The method of claim 4wherein the model is pre-configured.
 6. The method of claim 1 whereinthe step of pre-processing includes discarding characteristic valueswhich do not meet at least one frequency criterion described in theprivacy standard.
 7. The method of claim 1 wherein: the step ofpre-processing includes using aggregated data to assess the frequency ofat least one characteristic value.
 8. The method of claim 1 wherein thestep of pre-processing includes obfuscating characteristic values whichdo not meet at least one frequency limit described in the privacystandard.
 9. The method of claim 1 wherein the step of pre-processingincludes replacing characteristic values which do not meet at least onefrequency criterion described in the privacy standard with broader valueranges to satisfy the privacy standard.
 10. The method of claim 1wherein the privacy standard includes restrictions based on one or morelocations selected from the group of: the target location and thestorage location.
 11. The method of claim 1 wherein the privacystandards include one or more frequency criteria for characteristicvalues with the frequency criteria set based on examining data collectedin an earlier time window.
 12. The method of claim 1 further comprising:redirecting requests received from clients based on their source privacyzone to a device at another target location coupled to the networkedprivacy system.
 13. The method of claim 1 wherein the networked privacysystem includes devices disposed in different locations.
 14. A networkedsystem for preserving privacy related to networked media consumptionactivity comprising: a privacy standard manager for accessing sourceprivacy zone definitions and privacy standards including one or morefrequency criteria to govern the storage of datasets includinginformation associated with networked media consumption activitycollected from a source privacy zone; a transaction server for receivinga transaction request in association with a networked media consumptionactivity including a networking protocol address, from a client devicelocated within a source privacy zone over a network at a target locationby the networked privacy system; a data extractor for using thenetworking protocol address to access a characteristic having acharacteristic value, discarding the networking protocol address andcreating a dataset including associating the networked media consumptionactivity with the at least one characteristic having at least onecharacteristic value; a pre-processor for pre-processing the dataset tocomply with the one or more frequency criteria described in the privacystandards by temporarily storing at least one dataset in a stagingdatabase for a time window and permitting the dataset to be written to afiltered database if the dataset in the staging database meets all thefrequency criteria described in the privacy standards within the timewindow, thereby creating pre-processed datasets; and, a physical storagedevice located at a storage location and coupled to the networkedprivacy system for storing the pre-processed datasets in the filtereddatabase.
 15. The system of claim 14 wherein: the pre-processor includesa model for estimating the frequency of at least one characteristicvalue.
 16. The system of claim 15 wherein the model is pre-configured.17. The system of claim 14 wherein: the pre-processor operates usingaggregated data to assess the frequency of at least one characteristicvalue.
 18. The system of claim 14 further comprising: a staging databasecoupled to the pre-processor for temporarily storing at least onedataset for a time window.
 19. The system of claim 14 wherein thenetworked privacy system includes devices disposed in differentlocations.